Merge remote-tracking branch 'upstream/main' into cherry-pick

Author: dbasunag

.github/workflows/add-remove-labels.yml

@@ -4,6 +4,10 @@ on:
     types: [synchronize]
 
   pull_request_review:
+    types: [submitted, edited]
+
+  pull_request_review_comment:
+    types: [created, edited]
 
   issue_comment:
     types: [created, edited, deleted]
@@ -39,12 +43,13 @@ jobs:
 
       - name: Run add remove labels
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.OPENDATAHUB_TESTS_BOT_PAT }}
           GITHUB_PR_NUMBER: "${{ github.event.pull_request.number || github.event.issue.number }}"
           GITHUB_EVENT_ACTION: ${{ github.event.action }}
           GITHUB_EVENT_REVIEW_STATE: ${{ github.event.review.state }}
           GITHUB_EVENT_NAME: ${{ github.event_name }}
           COMMENT_BODY: ${{ github.event.comment.body }}
+          REVIEW_COMMENT_BODY: ${{ github.event.review.body }}
           GITHUB_USER_LOGIN: ${{ github.event.sender.login }}
           ACTION: "add-remove-labels"
         run: uv run python .github/workflows/scripts/pr_workflow.py

.github/workflows/build-push-container-on-merge.yml

@@ -0,0 +1,56 @@
+name: Build and Push Container Image On PR Merge
+
+on:
+  pull_request_target:
+    types: [closed]
+
+permissions:
+  pull-requests: write
+  contents: write
+  issues: write
+
+jobs:
+  if_merged:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+      - name: Set env TAG
+        run: |
+          if [ ${{ github.event.pull_request.base.ref }} == "main" ]; then
+              echo "TAG=latest" >> $GITHUB_ENV
+          else
+              echo "TAG=${{ github.event.pull_request.base.ref }}" >> "$GITHUB_ENV"
+          fi
+      - name: Build Image
+        id: build-image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          image: opendatahub-tests
+          tags: ${{ env.TAG }}
+          containerfiles: |
+            ./Dockerfile
+
+      - name: Push To Image Registry
+        id: push-to-registry
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ steps.build-image.outputs.image }}
+          tags: ${{ steps.build-image.outputs.tags }}
+          registry: quay.io/opendatahub
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+
+      - name: Add comment to PR
+        if: always()
+        env:
+          URL: ${{ github.event.pull_request.comments_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          curl \
+            -X POST \
+            $URL \
+            -H "Content-Type: application/json" \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            --data '{ "body": "Status of building tag ${{ env.TAG }}: ${{ steps.build-image.outcome }}. \nStatus of pushing tag ${{ env.TAG }} to image registry: ${{ steps.push-to-registry.outcome }}." }'

.github/workflows/on-review-add-label.yml

@@ -0,0 +1,88 @@
+name: Run Label Action on PR Review Event
+on:
+  workflow_run:
+    workflows: ["Dummy Workflow on review"]
+    types:
+      - completed
+permissions:
+  pull-requests: write
+  contents: write
+  issues: write
+
+jobs:
+  run_on_workflow_a_success:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run this on Dummy workflow success
+        run: echo "Dummy Workflow on review completes successfully"
+  download_context_artifact:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "context.json"
+            })[0];
+
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/context.zip`, Buffer.from(download.data));
+
+      - name: 'Unzip artifact'
+        run: unzip context.zip
+      - name: 'Return Parsed JSON'
+        uses: actions/github-script@v7
+        id: return-parsed-json
+        with:
+          script: |
+            let fs = require('fs');
+            let data = fs.readFileSync('./context.json');
+            return JSON.parse(data);
+    outputs:
+      pr_num: ${{fromJSON(steps.return-parsed-json.outputs.result).pr_num}}
+      event_action: ${{fromJSON(steps.return-parsed-json.outputs.result).event_action}}
+      review_state: ${{fromJSON(steps.return-parsed-json.outputs.result).review_state}}
+      event_name: ${{fromJSON(steps.return-parsed-json.outputs.result).event_name}}
+      comment_body: ${{fromJSON(steps.return-parsed-json.outputs.result).comment_body}}
+      review_comment_body: ${{fromJSON(steps.return-parsed-json.outputs.result).review_comment_body}}
+      user_login: ${{fromJSON(steps.return-parsed-json.outputs.result).user_login}}
+      action: ${{fromJSON(steps.return-parsed-json.outputs.result).action}}
+  log_context_values:
+    needs:
+      - download_context_artifact
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Set all Env Variable'
+        run: |
+          echo "GITHUB_PR_NUMBER=${{ needs.download_context_artifact.outputs.pr_num }}" >> "$GITHUB_ENV"
+          echo "GITHUB_EVENT_ACTION=${{ needs.download_context_artifact.outputs.event_action }}"  >> "$GITHUB_ENV"
+          echo "GITHUB_EVENT_REVIEW_STATE=${{ needs.download_context_artifact.outputs.review_state }}"  >> "$GITHUB_ENV"
+          echo "GITHUB_EVENT_NAME=${{ needs.download_context_artifact.outputs.event_name }}"  >> "$GITHUB_ENV"
+          echo "COMMENT_BODY=${{ needs.download_context_artifact.outputs.comment_body }}"  >> "$GITHUB_ENV"
+          echo "REVIEW_COMMENT_BODY=${{ needs.download_context_artifact.outputs.review_comment_body }}"  >> "$GITHUB_ENV"
+          echo "GITHUB_USER_LOGIN=${{ needs.download_context_artifact.outputs.user_login }}"  >> "$GITHUB_ENV"
+          echo "ACTION=${{ needs.download_context_artifact.outputs.action }}"  >> "$GITHUB_ENV"
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+      - name: 'Run add-remove-labels action'
+        env:
+          GITHUB_TOKEN: ${{ secrets.OPENDATAHUB_TESTS_BOT_PAT }}
+          GITHUB_EVENT_NAME: ${{ needs.download_context_artifact.outputs.event_name }}
+        run: uv run python .github/workflows/scripts/pr_workflow.py

.github/workflows/scripts/constants.py

@@ -11,6 +11,7 @@
 SUCCESS_STR: str = "success"
 FAILURE_STR: str = "failure"
 QUEUED_STR: str = "queued"
+APPROVED: str = "approved"
 
 SUPPORTED_LABELS: set[str] = {
     f"{LABEL_PREFIX}{WIP_LABEL_STR}",

.github/workflows/scripts/pr_workflow.py

@@ -6,6 +6,10 @@
 
 from github.PullRequest import PullRequest
 from github.Repository import Repository
+from github.MainClass import Github
+from github.GithubException import UnknownObjectException
+from github.Organization import Organization
+from github.Team import Team
 
 from constants import (
     ALL_LABELS_DICT,
@@ -20,8 +24,8 @@
     SUPPORTED_LABELS,
     VERIFIED_LABEL_STR,
     WELCOME_COMMENT,
+    APPROVED,
 )
-from github import Github, UnknownObjectException
 from simple_logger.logger import get_logger
 
 LOGGER = get_logger(name="pr_labeler")
@@ -41,6 +45,7 @@ class SupportedActions:
     def __init__(self) -> None:
         self.repo: Repository
         self.pr: PullRequest
+        self.gh_client: Github
 
         self.repo_name = os.environ["GITHUB_REPOSITORY"]
         self.pr_number = int(os.getenv("GITHUB_PR_NUMBER", 0))
@@ -77,8 +82,8 @@ def verify_base_config(self) -> None:
         )
 
     def set_gh_config(self) -> None:
-        gh_client: Github = Github(login_or_token=self.github_token)
-        self.repo = gh_client.get_repo(full_name_or_id=self.repo_name)
+        self.gh_client = Github(login_or_token=self.github_token)
+        self.repo = self.gh_client.get_repo(full_name_or_id=self.repo_name)
         self.pr = self.repo.get_pull(number=self.pr_number)
 
 
@@ -87,12 +92,29 @@ def __init__(self) -> None:
         super().__init__()
         self.user_login = os.getenv("GITHUB_USER_LOGIN")
         self.review_state = os.getenv("GITHUB_EVENT_REVIEW_STATE")
+        # We don't care if the body of the comment is in the discussion page or a review
         self.comment_body = os.getenv("COMMENT_BODY", "")
+        if self.comment_body == "":
+            # if it wasn't a discussion page comment, try to get a review comment, otherwise keep empty
+            self.comment_body = os.getenv("REVIEW_COMMENT_BODY", "")
         self.last_commit = list(self.pr.get_commits())[-1]
         self.last_commit_sha = self.last_commit.sha
 
         self.verify_labeler_config()
 
+    def verify_allowed_user(self) -> None:
+        org: Organization = self.gh_client.get_organization("opendatahub-io")
+        # slug is the team name with replaced special characters,
+        # all words to lowercase and spaces replace with a -
+        team: Team = org.get_team_by_slug("opendatahub-tests-contributors")
+        try:
+            # check if the user is a member of opendatahub-tests-contributors
+            membership = team.get_team_membership(self.user_login)
+            LOGGER.info(f"User {self.user_login} is a member of the test contributor team. {membership}")
+        except UnknownObjectException:
+            LOGGER.error(f"User {self.user_login} is not allowed for this action. Exiting.")
+            sys.exit(0)
+
     def verify_labeler_config(self) -> None:
         if self.action == self.SupportedActions.add_remove_labels_action_name and self.event_name in (
             "issue_comment",
@@ -101,17 +123,18 @@ def verify_labeler_config(self) -> None:
             if not self.user_login:
                 sys.exit("`GITHUB_USER_LOGIN` is not set")
 
-            if self.event_name == "issue_comment" and not self.comment_body:
-                sys.exit("`COMMENT_BODY` is not set")
-
-            if self.event_name == "pull_request_review" and not self.review_state:
-                sys.exit("`GITHUB_EVENT_REVIEW_STATE` is not set")
+            if (
+                self.event_name == "issue_comment" or self.event_name == "pull_request_review"
+            ) and not self.comment_body:
+                LOGGER.info("No comment, nothing to do. Exiting.")
+                sys.exit(0)
 
     def run_pr_label_action(self) -> None:
         if self.action == self.SupportedActions.pr_size_action_name:
             self.set_pr_size()
 
         if self.action == self.SupportedActions.add_remove_labels_action_name:
+            self.verify_allowed_user()
             self.add_remove_pr_labels()
 
         if self.action == self.SupportedActions.welcome_comment_action_name:
@@ -226,6 +249,10 @@ def add_remove_pr_labels(self) -> None:
 
             return
 
+        # We will only reach here if the PR was created from a fork
+        elif self.event_name == "workflow_run" and self.event_action == "submitted":
+            self.pull_request_review_label_actions()
+
         LOGGER.warning("`add_remove_pr_label` called without a supported event")
 
     def pull_request_review_label_actions(
@@ -239,7 +266,7 @@ def pull_request_review_label_actions(
         label_to_remove = None
         label_to_add = None
 
-        if self.review_state == "approved":
+        if self.review_state == APPROVED:
             label_to_remove = change_requested_label
             label_to_add = lgtm_label
 
@@ -276,12 +303,20 @@ def issue_comment_label_actions(
             LOGGER.info(f"Processing labels: {labels}")
             for label, action in labels.items():
                 if label == LGTM_LABEL_STR:
-                    label = f"{LGTM_BY_LABEL_PREFIX}{self.user_login}"
+                    if self.user_login == self.pr.user.login:
+                        LOGGER.info("PR submitter cannot approve for their own PR")
+                        continue
+                    else:
+                        label = f"{LGTM_BY_LABEL_PREFIX}{self.user_login}"
+                        if not action[CANCEL_ACTION] or self.event_action == "deleted":
+                            self.approve_pr()
 
                 label_in_pr = any([label == _label.lower() for _label in self.pr_labels])
                 LOGGER.info(f"Processing label: {label}, action: {action}")
 
                 if action[CANCEL_ACTION] or self.event_action == "deleted":
+                    if label == LGTM_LABEL_STR:
+                        self.dismiss_pr_approval()
                     if label_in_pr:
                         LOGGER.info(f"Removing label {label}")
                         self.pr.remove_from_labels(label=label)
@@ -296,7 +331,23 @@ def issue_comment_label_actions(
 
     def add_welcome_comment_set_assignee(self) -> None:
         self.pr.create_issue_comment(body=WELCOME_COMMENT)
-        self.pr.add_to_assignees(self.pr.user.login)
+        try:
+            self.pr.add_to_assignees(self.pr.user.login)
+        except UnknownObjectException:
+            LOGGER.warning(f"User {self.pr.user.login} can not be assigned to the PR.")
+
+    def approve_pr(self) -> None:
+        self.pr.create_review(event="APPROVE")
+
+    def dismiss_pr_approval(self) -> None:
+        all_reviews = self.pr.get_reviews()
+        current_user = self.gh_client.get_user().login
+        LOGGER.info(f"Looking for approving review by user {current_user}")
+        # The reviews are paginated in chronological order. We need to get the newest by our account
+        for review in all_reviews.reversed:
+            if review.user.login == current_user and review.state == APPROVED:
+                LOGGER.info(f"found review by user {current_user} with id {review.id}")
+                review.dismiss(message="Dismissing review due to '/lgtm cancel' comment")
 
 
 def main() -> None:

.github/workflows/workflow-review.yml

@@ -0,0 +1,33 @@
+name: Dummy Workflow on review
+
+on:
+  pull_request_review:
+    types: [submitted, edited]
+
+permissions:
+  pull-requests: write
+  contents: write
+  issues: write
+
+jobs:
+
+  dummy-workflow:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: save the pr information
+        run: |
+            printf '{
+              "pr_num": "${{ github.event.pull_request.number || github.event.issue.number }}",
+              "event_action": "${{ github.event.action }}",
+              "review_state": "${{ github.event.review.state }}",
+              "event_name": "${{ github.event_name }}",
+              "comment_body": "${{ github.event.comment.body }}",
+              "review_comment_body": "${{ github.event.review.body }}",
+              "user_login": "${{ github.event.sender.login }}",
+              "action": "add-remove-labels"
+            }' >> context.json
+      - uses: actions/upload-artifact@v4
+        with:
+          name: context.json
+          path: ./